Commit 0723275e4 for imagemagick.org
commit 0723275e4b4ec46238898a921cc47f5f0a00928a
Author: Cristy <urban-warrior@imagemagick.org>
Date: Wed Jan 28 19:20:36 2026 -0500
block fd: filenames in security policies
diff --git a/config/policy-secure.xml b/config/policy-secure.xml
index a650102b1..bc2763b72 100644
--- a/config/policy-secure.xml
+++ b/config/policy-secure.xml
@@ -90,6 +90,7 @@
<policy domain="filter" rights="none" pattern="*"/>
<!-- Don't read/write from/to stdin/stdout. -->
<policy domain="path" rights="none" pattern="-"/>
+ <policy domain="path" rights="none" pattern="fd:*"/>
<!-- don't read sensitive paths. -->
<policy domain="path" rights="none" pattern="/etc/*"/>
<!-- Indirect reads are not permitted. -->
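Review bot: The added `fd:*` rule sits under the comment `Don't read/write from/to stdin/stdout.`, which describes only the `-` pattern; `fd:*` denies every numbered descriptor, not just 0 and 1, so the comment now understates what the two rules do. I would reword it to `<!-- Don't read/write from/to stdin/stdout or any inherited file descriptor (fd:N). -->`. The same applies to the identical hunk in config/policy-websafe.xml and to the copy in www/security-policy.html. The pattern is lowercase only, so it is worth confirming whether the path-policy glob is case-sensitive while the `fd:` prefix is recognised case-insensitively, since that would leave the rule narrower than intended. The policy list continues outside the hunk.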
diff --git a/config/policy-websafe.xml b/config/policy-websafe.xml
index e23a475a0..9c7a5b8c9 100644
--- a/config/policy-websafe.xml
+++ b/config/policy-websafe.xml
@@ -86,6 +86,7 @@
<policy domain="filter" rights="none" pattern="*"/>
<!-- Don't read/write from/to stdin/stdout. -->
<policy domain="path" rights="none" pattern="-"/>
+ <policy domain="path" rights="none" pattern="fd:*"/>
<!-- don't read sensitive paths. -->
<policy domain="path" rights="none" pattern="/etc/*"/>
<!-- Indirect reads are not permitted. -->
diff --git a/www/security-policy.html b/www/security-policy.html
index 3e67dbd88..e253c4177 100644
--- a/www/security-policy.html
+++ b/www/security-policy.html
@@ -331,6 +331,7 @@
<policy domain="filter" rights="none" pattern="*"/>
<!-- Don't read/write from/to stdin/stdout. -->
<policy domain="path" rights="none" pattern="-"/>
+ <policy domain="path" rights="none" pattern="fd:*"/>
<!-- don't read sensitive paths. -->
<policy domain="path" rights="none" pattern="/etc/*"/>
<!-- Indirect reads are not permitted. -->
@@ -533,4 +534,4 @@ Path: [built-in]
~
</body>
</html>
-<!-- Magick Cache 3rd October 2025 23:49 -->
\ No newline at end of file
+<!-- Magick Cache 3rd October 2025 23:49 -->